Any advice on using Offline or Real-time Access Token validation?
by Niels Bertram
We have a bunch of web and mobile apps and an API gateway that use Keycloak
OpenID Connect for security.
At the API gateway end, one has the choice of either validating an access
token using the cryptographic credentials from the identity server (offline
mode) or validate every message on the IdPs instrospection endpoint (real
time).
Using offline validation will not hit the IdP every time an app interacts
with the gateway, but we have the potential to allow transactions through
even though the user has signed out on the SSO server. Using the
introspection endpoint will allow users to sign out and stop all
transactions immediately.
I am concerned that using the real timme validation approach will make the
gateway uptime and performance absolutely dependent on the IdP and that the
IdP needs to be scaled at the rate of the API platform.
Has anyone else had to make a decision which one to use? Any guidance or
thoughts you could share?
8 years, 7 months
Password Hashing in custom User Storage Provider
by Danny Trunk
Hi,
when implementing my own User Storage Provider I've noticed that the
password has to be raw in my database as no Password Hash Provider is
getting triggered.
The User Storage Provider is based on the JPA Example located here:
https://github.com/keycloak/keycloak/tree/master/examples/providers/user-...
When adding some logging into the isValid method of the Provider to see
whats the content of password and cred.getValue() I can see that
password (the one from the database) is hashed whereas cred.getValue()
isn't. That's why it mismatches and the user can see an invalid
credentials error message.
Do I have to call all (as I could have multiple algorithms in my
database without any information which algorithm it is)
PasswordHashProvider myself in this method? I guess that's not the
intended behaviour of the Password Hash Providers?!
Could it be a bug in Keycloak?
8 years, 7 months
Deploy providers
by ko lo
I have keycloak 2.5.4
I'm trying to figure out an example domain-extension.
I registered provider using file-system. It didn't work. Not enough
dependencies
I registered provider using module. It is worked.
I want to register a provider using deploy. I added
jboss-deployment-structure.xml.
I registered using deployer keycloak. Own custom SPI (ExampleSeviceImp) is
not registered (I checked providers in tab server info). But tere is custom
end point example registered.
I execute add company and get NullPointerExeption because Own custom SPI
is not registered.
8 years, 7 months
Role based Policy, User token forbidden from entitlement API
by Sven Thoms
I have users in my realm that I have assigned realm roles to:
realm roles: Master, Apprentice
one such user is
test_user
roles: uma_authorization, Apprentice
When I enable authorization on a client and
1. add a resource besides the default resource to it, say "Second Resource"
2. under Policies - Roles a role-based policy referencing the realm role
Apprentice that my user belongs to
Using the test user’s acess_token gotten from the realm token endpoint:
curl -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=admin-cli&username=test_user&password=password&grant_type=password"
\
https://mykeycloak.domain/auth/realms/myrealm/protocol/openid-connect/token
and checking the entitlement API response for the client’s id and using the
bearer access token of the user as well as the payload for the Second
Resource, I always get status code forbidden
curl -v -X POST \
-H "Content-Type:application/json" \
-H 'Authorization: bearer userbearerrertoken' \
-d '{"permissions":[{"resource_set_name:"Second Resource"}]}' \
https://mykeycloak.domainauth/realms/myrealm/authz/entitlement/my_client_id
For the Default Resource, all is fine and I get back an RPT.
Am I missing something regarding the user’s needed roles? According to the
documentation, the role-level permission for the Second Resource should
lead to the user being authorized to access the second resource if any
realm role in a role-based permission for a resource holds.
I am using keycloak 2.5.1.
8 years, 7 months
Possible CSRF issue in account page.
by Ushanas Shastri
Hello,
We have a page where the user account details can be seen (the KeyCloak
realm/account page).
On that page, the user can update his email address etc.
As part of security testing, we found that this page is vulnerable to Cross
Site Request Forgery.
Is this a known issue, or should I report in JIRA?
Also, is there a way to configure some security options in KeyCloak to
prevent CSRF?
Regards, Ushanas.
On 23-Mar-2017 10:28 AM, "Ushanas Shastri" <ushanas(a)gmail.com> wrote:
Thank you, this works.
On 22 March 2017 at 21:39, Marko Strukelj <mstrukel(a)redhat.com> wrote:
> You can add a new admin user by using add-user-keycloak script:
> https://keycloak.gitbooks.io/documentation/content/server_ad
> min/topics/initialization.html.
>
> Then you can log into the Admin Console and set a new password for
> original admin user.
>
> On Wed, Mar 22, 2017 at 12:51 PM, Ushanas Shastri <ushanas(a)gmail.com>
> wrote:
>
>> Hello,
>> How do I reset the admin password? I don't have the admin password, and
>> want to be able to reset it like it was a new install.
>>
>> Regards, Ushanas.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
8 years, 7 months
IdP initiated SSO with Keycloak
by Michael Anthon
We are attempting to implement IdP initiated SSO, similar to what is outlined in this blog... https://blog.auth360.net/2012/12/16/saml-2-0-idp-initiated-sign-on-with-r...
The main difference is that our SP is using openid to authenticate with Keycloak.
So the configuration is like this...
ADFS(fs.example.com) <---SAML---> Keycloak(kc.example.com) <---openid--->SP(app.example.com)
The SP is set up as a client in a Realm in Keycloak and the ADFS is set up as an identity provider.
In ADFS, Keycloak is set up as a Relying Party.
The intent here is that we can provide the end user with a URL that they can access that will send them to their ADFS portal to login (if required) and have them end up in the application without them having to do anything in Keycloak.
The URL according to the article will be something like
https://fs.example.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3D...
I have been able to set up a standard IdP login via these servers however the situation is that we will have multiple clients accessing the system and we are not allowed to expose who our clients are so we will need to edit the login templates and remove the IdP buttons which is why I'm looking for and IdP initiated solution.
Currently when I attempt this I don't end up in the right place in Keycloak but instead end up at https://kc.example.com/auth/realms/realmid/broker/infoview/endpoint
I'm wondering if anyone has done this and has any pointers on configuring this correctly (or indeed if I'm barking up the wrong tree and it's not possible)
Thanks,
Michael
8 years, 7 months
Custom Error Page
by Troy Wilson
Hi everyone,
I was wondering if anyone has any ideas on how to get keycloak to display
custom error pages.
Background:
We have some custom providers that may throw exceptions.
If one of these exceptions is thrown, we get a stack trace.
We can turn off the stack trace by changing the "stack-trace-on-error"
attribute as described on
https://docs.jboss.org/author/display/WFLY8/Undertow+subsystem+configuration
.
When this attribute is set to none, the server responds with the following
response (copied from fiddler proxy server)
HTTP/1.1 500 Internal Server Error
Connection: keep-alive
Content-Type: text/html;charset=UTF-8
Content-Length: 80
Date: Fri, 24 Mar 2017 00:16:14 GMT
<html><head><title>Error</title></head><body>Internal Server
Error</body></html>
What we would like to do is, display a page in keeping with the theme of
the application, ideally be able to call the
<keycloak-root>/theme/<theme>/login/error.ftl file.
Any help / guidance on this would be greatly appreciated.
Troy
8 years, 7 months
Why doesn't UserCacheSession try to cache the new user model after invalidation?
by Jared Blashka
I've been looking into the UserCacheSession behavior after we updated to
2.5.5.Final and I'm seeing some strange behavior related to cached
UserModel invalidation.
After a UserModel in the user cache is flagged for invalidation, either
because there was some update to the user model (e.g. Adding a required
action when setting up OTP credentials) or the cache's invalidation time
limit was reached, every single subsequent call within that thread to
getUserById or getUserByUsername will delegate that call to the Storage
Provider responsible for that user without caching the result. And it isn't
until the *next* thread that tries to fetch that user from the infinispan
cache that the result is actually cached again.
Is this intended behavior?
In my testing I have an OIDC client and a SAML client for my 2.5.5 server.
If the OIDC client makes a token refresh request after the user has passed
its lifespan time it triggers 7 (each UserPropertyMapper makes a separate
userSession.getUser call) separate invocations of my Storage Provider's
getUserById method, each one triggering a query against our data store. If
I then try to access a second client (my SAML client) Keycloak still
doesn't have the user model cached and delegates the call to my storage
provider yet again, but caches the result this time.
Are our custom Storage Providers expected to cache the results of our
getUserById/Username calls for situations like these? I would think that
UserCacheSession would more gracefully handle cache invalidation so that
every customer with their own Storage Provider wouldn't have to manage
their own additional cache layer on top of what Keycloak is already
providing.
My knowledge of infinispan is pretty lacking, so is there a reason that the
UserCacheSesssion.getUserById call short-circuits to the delegate with:
if (isRegisteredForInvalidation(realm, id)) {
logger.trace("registered for invalidation return delegate");
return getDelegate().getUserById(id, realm);
}
rather than caching the result with something like:
if (invalidations.contains(id)) {
Long loaded = cache.getCurrentRevision(id);
UserModel delegate = getDelegate().getUserById(id, realm);
adapter = cacheUser(realm, delegate, loaded);
invalidations.remove(id)
managedUsers.put(id, adapter);
return adapter;
}
With this behavior we're actually seeing more activity against our backend
server than if we were just using the NO_CACHE policy.
Thanks!
Jared
8 years, 7 months
Re: [keycloak-user] problem setting up identity brokering from Keycloak to ADFS
by Glenn Campbell
(re-sent, forgot to include keycloak-user)
I'm using Keycloak 2.5.0. And I think my ADFS is 2.1.
It appears that I don't have permission to view KEYCLOAK-3932 so I'm not
sure of the proper way to turn on SAML logging. I turned on debug logging
for "org.keycloak.saml" and "org.keycloak.broker.saml" but what I got in my
log file wasn't very helpful. It looked like most of the info was encrypted
and/or hashed.
However, I think I have a working configuration now. I need to test more to
be sure but it looks promising so far. In my frustration I changed several
things but I think the changes that made a difference were as follows:
1) Self-signed Certificates
The self-signed certificates I'm using in my test environment may have been
getting in my way. Or rather the various machines in my test environment
not trusting the self-signed certificates of the other machines. It is
probably unnecessary but I set all machines in my test environment to trust
the certificates from all other machines. I know client machines will need
to trust the certificates from both my Keycloak machine and my SAML machine
but do the Keycloak and SAML machines need to trust the certificates from
each other?
2) NameID Policy Format
I tried your suggestion of using "Windows Domain Qualified Name" but that
didn't seem to work. I set it to "Unspecified" and that didn't work either
until...
3) ADFS Relying Party Claim mapping
I added a Claim mapping on the Relying Party for Keycloak to map
"SAM-Account-Name" to "Name ID". This in conjunction with #2 seems to have
let things start working.
Being an ADFS novice (or SAML novice in general) I'm not clear on why the
above items make everything work. Can you provide any information regarding
why the above items are important? I'm happy when things work but I'm even
happier when I understand why they work.
Thanks again for all of your help.
On Tue, Mar 7, 2017 at 4:26 PM, Glenn Campbell <campbellg(a)teds.com> wrote:
> I'm using Keycloak 2.5.0. And I think my ADFS is 2.1.
>
> It appears that I don't have permission to view KEYCLOAK-3932 so I'm not
> sure of the proper way to turn on SAML logging. I turned on debug logging
> for "org.keycloak.saml" and "org.keycloak.broker.saml" but what I got in my
> log file wasn't very helpful. It looked like most of the info was encrypted
> and/or hashed.
>
> However, I think I have a working configuration now. I need to test more
> to be sure but it looks promising so far. In my frustration I changed
> several things but I think the changes that made a difference were as
> follows:
>
> 1) Self-signed Certificates
> The self-signed certificates I'm using in my test environment may have
> been getting in my way. Or rather the various machines in my test
> environment not trusting the self-signed certificates of the other
> machines. It is probably unnecessary but I set all machines in my test
> environment to trust the certificates from all other machines. I know
> client machines will need to trust the certificates from both my Keycloak
> machine and my SAML machine but do the Keycloak and SAML machines need to
> trust the certificates from each other?
>
> 2) NameID Policy Format
> I tried your suggestion of using "Windows Domain Qualified Name" but that
> didn't seem to work. I set it to "Unspecified" and that didn't work either
> until...
>
> 3) ADFS Relying Party Claim mapping
> I added a Claim mapping on the Relying Party for Keycloak to map
> "SAM-Account-Name" to "Name ID". This in conjunction with #2 seems to have
> let things start working.
>
> Being an ADFS novice (or SAML novice in general) I'm not clear on why the
> above items make everything work. Can you provide any information regarding
> why the above items are important? I'm happy when things work but I'm even
> happier when I understand why they work.
>
> Thanks again for all of your help.
> Glenn
>
> On Tue, Mar 7, 2017 at 4:58 AM, Hynek Mlnarik <hmlnarik(a)redhat.com> wrote:
>
>> What is your Keycloak and ADFS versions? What are the responses you
>> receive from ADFS? Please enable logging of SAML messages to see them (see
>> [1] how to do that).
>>
>> A wild guess: does setting the "NameID Policy Format" [2] to "Windows
>> Domain Qualified Name" help?
>>
>> --Hynek
>>
>> [1] https://issues.jboss.org/browse/KEYCLOAK-3932?focusedComment
>> Id=13336560&page=com.atlassian.jira.plugin.system.issuetabpa
>> nels%3Acomment-tabpanel#comment-13336560
>> [2] https://keycloak.gitbooks.io/server-adminstration-guide/cont
>> ent/topics/identity-broker/saml.html
>>
>> On 03/03/2017 09:49 PM, Glenn Campbell wrote:
>>
>>> Thank you for your suggestions. Making those changes seems to have
>>> solved that problem. I don't think I would have ever figured that out on my
>>> own.
>>>
>>> Now I'm on to the next problem. When I enter the login credentials on
>>> the SAML IdP login page I get an error in Keycloak and the log file has a
>>> "Could not process response from SAML identity provider" error message with
>>> a root cause of "No assertion from response".
>>>
>>> Do you have any suggestions on what I need to do to fix this problem?
>>>
>>> On Fri, Mar 3, 2017 at 3:34 AM, Hynek Mlnarik <hmlnarik(a)redhat.com
>>> <mailto:hmlnarik@redhat.com>> wrote:
>>>
>>> Actually https matters, ADFS had been rejecting any SAML
>>> communication
>>> with keycloak for me until https was enabled. Also for ADFS, there is
>>> a special settings for KeyInfo element that needs to be set to
>>> CERT_SUBJECT in SAML Signature Key Name option of SAML Identity
>>> Provider settings [1].
>>>
>>> [1] https://keycloak.gitbooks.io/documentation/server_admin/topi
>>> cs/identity-broker/saml.html <https://keycloak.gitbooks.io/
>>> documentation/server_admin/topics/identity-broker/saml.html>
>>>
>>>
>>> On Thu, Mar 2, 2017 at 11:45 PM, Glenn Campbell <campbellg(a)teds.com
>>> <mailto:campbellg@teds.com>> wrote:
>>> > What is the correct way to set up identity brokering from Keycloak
>>> to ADFS?
>>> > I’m new to ADFS so I suspect I’ve configured something incorrectly
>>> there.
>>> >
>>> > Here’s what I’ve done so far:
>>> >
>>> > 1) Installed ADFS.
>>> > 2) Opened ADFS Management.
>>> > 3) Walked through the ADFS Configuration Wizard.
>>> > At one point in the process it asked which certificate I wanted to
>>> use. I
>>> > didn’t have one so I went into IIS Manager and created a
>>> self-signed
>>> > certificate. Then I came back to the ADFS Configuration Wizard and
>>> selected
>>> > the newly created certificate.
>>> > At the end of the process there was a list of configuration items
>>> that had
>>> > been performed and they all had green checkmarks by them.
>>> > Clicked Close.
>>> >
>>> > 4) At this point ADFS Management said I needed to configure a
>>> Trusted
>>> > Relying Party so I went to Keycloak to start setting up that side
>>> of things.
>>> > 5) Since the certificate used by ADFS is self-signed I exported it
>>> from IIS
>>> > and imported it into the Wildfly jssecerts where Keycloak is
>>> running and
>>> > restarted Wildfly/Keycloak.
>>> > 6) Saved the ADFS FederationMetadata.xml via the url https://<adfs
>>> > server>/FederationMetadata/2007-06/FederationMetadata.xml
>>> > 7) In Keycloak admin console, on the Identity Providers page I
>>> chose “Add
>>> > provider… SAML v2.0”
>>> > 8) Entered an alias for the new IdP then in “Import from file ->
>>> Select
>>> > File” I chose the FederationMetadata.xml that I acquired from the
>>> ADFS
>>> > server.
>>> > 9) Saved the IdP configuration.
>>> > 10) Went to the Export tab of the newly created IdP and downloaded
>>> the xml
>>> > config file.
>>> >
>>> > 11) At this point I went back to ADFS Management and followed the
>>> steps to
>>> > create a Trusted Relying Party, choosing to import data about the
>>> relying
>>> > party from the xml file exported from Keycloak.
>>> > 12) For the rest of the Relying Party configuration I accepted the
>>> defaults.
>>> >
>>> > When I go to the url for my application I’m redirected to the
>>> Keycloak
>>> > login screen where I select the Identity Provider I configured. I
>>> get a
>>> > security certificate warning since the certificate from the server
>>> is
>>> > self-signed but I choose to continue despite the warning. Then I
>>> get an
>>> > error page saying there was a problem accessing the site. I don’t
>>> get the
>>> > ADFS page where I would enter my login credentials.
>>> >
>>> > I don’t know if it matters but my application and Keycloak
>>> currently use
>>> > http rather than https.
>>> >
>>> > Any help would be greatly appreciated.
>>> > Thanks in advance,
>>> > Glenn
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jb
>>> oss.org>
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user <
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>>
>>>
>>>
>>> --
>>>
>>> --Hynek
>>>
>>>
>>>
>
8 years, 7 months
How to configure keycloak management client to allow users manage a subset of other users?
by Celso Agra
Hi all,
My question is more about how to configure and create a structure to manage
the Keycloak without expose my api with any security problems...
So, I belong to a governamental organization, and we choose keycloak to
manage our applications.
So, my application would have three kind of users: administrator, superuser
and common user, and all of these users has an special attribute named
"organizational unit". So they belongs to different governamental
organizations (each "organizational unit" is a governamental entity or
organization)
So, I'd like that my administrator have permissions to manage all users in
keycloak, and my superuser has permissions to manage only the common users
that belongs to the same "organizational unit" of him. So, How can I
configure this with keycloak?
I believe I have to configure the client "Realm-Management" to do that, but
how could I allow superusers to manage the common users in the same
"organizational unit"? I can't use different realms because I have only one
application for that!
Best regards,
--
---
*Celso Agra*
8 years, 7 months
